IMPLEMENTATION REVIEW OF
CONTROLS FOR GSA’S PRIVACY ACT DATA
REPORT NUMBER A020256/O/T/F03005
DATED JANUARY 6, 2003
ASSIGNMENT NUMBER A060045

January 18, 2006

Specifically, we recommended that the OCPO work together with the OCIO to improve the management of GSA’s Privacy Act data by: (1) working with the Office of Acquisition Policy to ensure that appropriate Privacy Act requirement clauses are included in IT support contracts utilized by GSA and that roles and responsibilities for the protection of sensitive data are made explicit for contractors entrusted with such data, (2) updating GSA’s Systems of Records list, and (3) ensuring that accountability and responsibility is assigned for identifying and implementing specific controls for each of GSA’s Systems of Records. Your office concurred with these recommendations and has taken specific steps as delineated in the March 2003 time-phased action plan.

Scope and Methodology

This implementation review included discussions with information security and privacy personnel in the OCIO and the OCPO to determine if management’s action plan has been implemented and whether conditions identified with the initial review have been resolved. We analyzed Privacy Act clauses recently added to the Federal Acquisition Regulation (FAR), including Parts 24 and 39. To sample the application of these Privacy Act requirements in IT support contracts, we reviewed contracts for the Comprehensive Human Resources Integrated System (CHRIS), the Payroll and Accounting and Reporting (PAR) system, and the GSAJobs system. We considered applicable statutes, regulations, policies, guidance, and operating procedures, including: the Privacy Act of 1974; Office of Management and Budget (OMB) Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, and Appendix III, Security of Federal Automated Information Resources, November 28, 2000; OMB’s Implementation Guidance for the E-Government Act of 2002, M-03-18, August 1, 2003; OMB’s Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, M-03-22, September 26, 2003; the GSA Privacy Act Program, CPO 1878.1, October 27, 2003; and Conducting Privacy Impact Assessments (PIAs) in GSA, CPO 1878.2, May 28, 2004. We also reviewed memoranda issued by the OCIO regarding the Privacy Act, including the June 22, 2005 memo regarding GSA Privacy Act regulations and Systems of Records notices and the July 15, 2003 memo requesting that Heads of Services and Staff Offices and Regional Administrators provide input to update the Agency’s Systems of Records list, and information disseminated via the Privacy Act Program website maintained by the OCPO. Fieldwork was completed between October and December 2005.

Observations

We found that management has taken actions in accordance with the time-phased action plan in response to our 2003 report; however, conditions raised in the previous report remain. Contracts for two of the three systems we reviewed did not include the appropriate FAR clauses for Privacy Act systems, and GSA’s list of Privacy Act systems, maintained by the OCPO, is still not up-to-date. Further, roles and responsibilities for GSA associates and contractors are not yet well defined, and training has not been provided to ensure that responsible individuals are aware of requirements for protecting GSA Privacy Act data.

Recommendation # 1 - Work with the Office of Acquisition Policy to ensure that appropriate Privacy Act requirement clauses are included in IT support contracts utilized by GSA and that roles and responsibilities for the protection of sensitive data are made explicit for contractors entrusted with such data.

In 2003, we reported the need to specify restrictions or penalties for unauthorized disclosures and for GSA IT service contracts to state the need to protect Privacy Act data. Since then, the Office of Acquisition Policy has developed contract clauses covering Privacy Act information to be used in GSA's IT support contracts, and the OCPO has issued an Order mandating Privacy Act clauses to be used in GSA's IT support contracts. During this implementation review, we analyzed four IT support contracts for three Privacy Act Systems: (1) PAR, (2) GSAJobs, and (3) CHRIS. We found that two of the contracts did not include or reference the requisite FAR clauses. Further, we were unable to verify whether biennial reviews of a random sample of GSA's IT support contracts are being completed as required by OMB. These reviews are important in order to ensure that the wording of each contract makes the provisions of the Privacy Act binding on the contractor. Without appropriate contract provisions for protecting Privacy Act data, the Agency cannot be sure that contractors are aware of restrictions on Privacy Act data and the consequences of unauthorized disclosures.

Recommendation # 2 - Update GSA’s Systems of Record list.

We also reported that the Agency’s list of Privacy Act Systems of Records (SOR) needed to be updated. The Privacy Act of 1974 defines a System of Record as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. The OCPO has issued memoranda to Heads of Services and Staff Offices and to Regional Administrators requesting an update of the Privacy Act SOR under their jurisdiction, and the SOR list, as identified on the official GSA Privacy Act Program website, has been updated to include a major system for managing human resource information. However, the SOR list is not yet current and complete. For example, the Federal Acquisition Institute (FAI) Online system, Federal Business Opportunities (FedBizOps), Federal Procurement Data System - Next Generation (FPDS-NG), System for Tracking and Administering Real Property (STAR), GSAJobs, and USA Services are not yet identified as a SOR on the Privacy Act Program website. With the exception of GSAJobs, which is covered under an OPM Privacy Act notice, these systems also do not have published Privacy Act notices. Privacy Act notices are required to be published in the Federal Register to report any new use or intended use of the information in the system and to provide an opportunity for interested persons to submit written data, views, or arguments to the Agency. Additionally, the list of SOR identified on GSA’s Privacy Act Program website has not been updated to remove transferred and obsolete systems, including Classified Control Files; the Emergency Notification System; and Incident Reporting, Investigation, Contingency Planning/Analysis, and Security Case Files. Without a complete and accurate inventory of SOR, specific risks with these systems may not be adequately addressed.

Recommendation # 3 - Ensure that accountability and responsibility is assigned for identifying and implementing specific controls for each of GSA’s Systems of Records.

The need to clarify key roles and responsibilities for protecting GSA’s Privacy Act data from unauthorized disclosure was also reported as a matter requiring management attention. At that time, online security training for GSA Associates and contractors did not cover Privacy Act requirements or restrictions on unauthorized disclosures of personal information entrusted to those who work with sensitive files. Further, controls for protecting GSA's sensitive data were not robust enough to adequately address risks in the Agency's automated business environment. We also found that GSA web server files needed to be reviewed for sensitive data to strengthen controls to prevent improper disclosure of Privacy Act data on GSA web servers both behind and outside the firewall. With this implementation review, we found that the Agency has not yet developed a Privacy Act training program, increasing the risk of inappropriate disclosure of sensitive information. We also found that GSA has not assigned roles and responsibilities to verify the implementation of required privacy-related controls, including the incorporation of appropriate privacy-related clauses in IT support contracts. Consequently, it is unclear whether privacy-related controls required by the OCPO have been consistently implemented for all GSA Privacy Act systems. While technical controls for Privacy Act data, such as automated content management and data leakage technologies, are readily available, the Agency does not have procedures in place to apply these beneficial tools. Moreover, general procedures are not yet in place to ensure that controls over sensitive Privacy Act data are in place and operating as expected.

Next Steps

It is essential that GSA associates and contractors who are increasingly relied on and entrusted with access to Privacy Act data understand the need to safeguard this information and agree to protect it. Since our previous review, the E-Government Act of 2002 emphasized the need to adequately protect personal information in Federal IT systems, and OMB now requires that Privacy Impact Assessments be conducted for IT systems that contain personal data on members of the general public, including Government employees and contractors. Agency responsibilities have also been expanded to fulfill Privacy Act requirements and improve the protection of sensitive data. Given new requirements for controls for Privacy Act systems, the conditions we observed with this implementation review, and related actions requiring additional management attention, we recommend that you reassess the Agency’s policies and procedures for protecting Privacy Act data. Because of increasing risks in this area, we plan to continue monitoring controls for select SOR and Privacy Act data by conducting additional audits in fiscal year 2006.

We would like to express our appreciation to you and your staff for your assistance and cooperation during this implementation review. Should you have any comments or questions about this review, please contact me or Gwendolyn McGowan, Deputy Assistant Inspector General for Audits, Information Technology Audit Office, on (703) 308-1223.

Jennifer M. Klimes
Audit Manager (JA-T)
Information Technology Audit Office

Attachment A – Time-Phased Action Plan to Review of GSA’s Privacy Act Data, Report Number A020256/O/T/F03005, Dated January 6, 2003

ACTION PLAN

Designated Responding Official: Gail T. Lovelace, Chief People Officer (CPO)
Contact Person: Fred Alt, CPO Chief Information Officer
Telephone No.: 202-501-2518

Audit Report Number: A020256/O/T/F03005
Recommendation/Finding Number: 1
Proposed Recommendation/Finding Completion Date: September 30, 2003

RECOMMENDATION: That the Office of the Chief People Officer (C), with the assistance of the Office of the Chief Information Officer (I), work with the Office of Acquisition Policy (MV) to ensure that appropriate Privacy Act requirement clauses are included in IT support contracts utilized by GSA and that roles and responsibilities for the protection of sensitive data are made explicit for contractors entrusted with such data.

Management Response:

The Chief People Officer concurs with the findings and the recommendation.

Action to be taken, step by step (with responsible organizations, supporting documentation to be sent to the Audit Resolution and Internal Controls Division, and the last day by which documentation will be sent):

1. Develop and issue Instructional Memorandum addressing basic Privacy Act, Acquisition Policy, and IT Security issues in GSA.
   Responsible organizations: C, with assistance of MV & I
   Supporting documentation: Copy of Instructional Memorandum
   Documentation will be sent by: April 30, 2003

2. Develop contract clauses covering Privacy Act information to be used in GSA’s IT support contracts.
   Responsible organizations: C, with assistance of MV & I
   Supporting documentation: Copy of Contract Clauses covering Privacy Act information
   Documentation will be sent by: August 31, 2003

3. Issue GSA Order mandating the Privacy Act clauses to be used in GSA’s IT support contracts, along with policy and guidance on roles and responsibilities for safeguarding sensitive information by contractors and GSA employees.
   Responsible organizations: C, with assistance of I
   Supporting documentation: Copy of GSA Order
   Documentation will be sent by: September 30, 2003

ACTION PLAN

Designated Responding Official: Gail T. Lovelace, Chief People Officer (CPO)
Contact Person: Fred Alt, CPO Chief Information Officer
Telephone No.: 202-501-2518

Audit Report Number: A020256/O/T/F03005
Recommendation/Finding Number: 2
Proposed Recommendation/Finding Completion Date: August 31, 2003

RECOMMENDATION: That the CPO, with the assistance of the CIO, update GSA’s Systems of Records List.

Management Response:

The CPO concurs with this recommendation.

Action to be taken, step by step (with responsible organizations, supporting documentation to be sent to the Audit Resolution and Internal Controls Division, and the last day by which documentation will be sent):

1. Memorandum to HSSOs and RAs requesting an update of Privacy Act systems of records under their jurisdiction.
   Responsible organization: C
   Supporting documentation: Copy of memorandum
   Documentation will be sent by: June 30, 2003

2. Update of Privacy Act systems of records on Privacy Act website on InSite.
   Responsible organization: C
   Supporting documentation: Notification of updated Privacy Act systems of Records on Privacy Act website
   Documentation will be sent by: August 31, 2003

ACTION PLAN

Designated Responding Official: Gail T. Lovelace, Chief People Officer (CPO)
Contact Person: Fred Alt, CPO Chief Information Officer
Telephone No.: 202-501-2518

Audit Report Number: A020256/O/T/F03005
Recommendation/Finding Number: 3
Proposed Recommendation/Finding Completion Date: September 30, 2003

RECOMMENDATION: That the CPO, with the assistance of the CIO, ensure that accountability and responsibility is assigned for identifying and implementing specific controls for each of GSA’s Systems of Records.

Management Response:

The CPO concurs with this recommendation and will work with the CIO to include the assignment of accountability and responsibility for implementing controls for each of GSA’s systems of records in the GSA Order that will be issued in response to Recommendation 1. The process and due dates will be the same as for Recommendation 1.

Action to be taken, step by step (with responsible organizations, supporting documentation to be sent to the Audit Resolution and Internal Controls Division, and the last day by which documentation will be sent):

1. Issue GSA Order mandating the Privacy Act clauses to be used in GSA’s IT support contracts, along with policy and guidance on roles and responsibilities for safeguarding sensitive information by contractors and GSA employees.
   Responsible organizations: C, with assistance of MV & I
   Supporting documentation: Copy of GSA Order
   Documentation will be sent by: September 30, 2003

REPORT DISTRIBUTION

                                                          Copies

Office of the Chief People Officer (C)                       3
Office of the Chief Information Officer (I)                  3
Office of Acquisition Policy (MV)                            1
Counsel to the Inspector General (JC)                        1
Regional Inspector General for Auditing (JA-W)               1
Assistant Inspector General for Auditing (JA and JAO)        2
Assistant Inspector General for Investigations (JI)          1
Audit Follow-up and Evaluation Branch (BECA)                 1
Administration and Data System Staff (JAS)                   1